
DoD Final Rule on Cybersecurity Clarifies Scope of Coverage and Flow Down Obligations, and Exempts COTS Procurements

M&S Industry Alert

On October 21, 2016, DoD issued, and made effective on the same day, the long-awaited Final Rule on cybersecurity requirements finalizing the DFARS Safeguarding Rule and corresponding DFARS clauses.

The Final Rule largely leaves the August 2015 and December 2015 Interim Rules unchanged. Significant changes include that the Final Rule:

  • clarifies the scope of coverage by modifying the definition of “covered defense information” to which the requirements apply so that it includes all forms of “controlled unclassified information” (CUI), thus aligning it with the National Archives and Records Administration (NARA) final rule on CUI published September 14, 2016;

  • clarifies that external cloud services housing covered defense information must comply with certain FedRAMP security requirements;

  • clarifies that subcontractor flow down is only required when covered defense information is necessary for performance of the subcontract, and that the contractor may consult with the Contracting Officer about whether the clause should flow down;

  • clarifies that subcontractors must notify their primes (or next higher-tier subcontractor) when requesting variances from the security controls of NIST Special Publication 800-171; and

  • exempts procurements solely for commercial off-the-shelf (COTS) technology from its requirements.

The changes in the Final Rule do not change the significance of the Interim Rules issued last year: for contracts to which the rule applies, contractors will have to certify compliance with NIST Special Publication 800-171 and report network penetration incidents within 72 hours. Further, contractors using cloud services will have to ensure that those services comply not only with FedRAMP requirements (as noted above) but also with aspects of the Final Rule.

These requirements demonstrate the importance for DoD contractors of developing an internal cybersecurity compliance plan.

This alert was written by Daniel S. Koch, lawyer in the Government Contracts practice group at Miles & Stockbridge in the firm’s Rockville, Maryland office.
